Arch Linux

FS#23216 - [shadow] strncpy misused in login

Attached to Project: Arch Linux
Opened by A Web (aweb) - Thursday, 10 March 2011, 07:59 GMT
Last edited by Eric Belanger (Snowman) - Sunday, 26 June 2011, 17:00 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Eric Belanger (Snowman), Aaron Griffin (phrakture)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

There are two places in the shadow package where the strncpy function is misused. strncpy does not guarantee that the output string is NUL-terminated, yet subsequent code assumes that the output string does, in fact, end with a 0 byte.

This is not super-easy to exploit, but on a machine with a very long hostname *and* an attacker who can control the LOCALE and make a long localized string for "login: ", this will lead to a buffer overrun.

One possible fix is to replace the calls to strncpy with calls to strlcpy. In fact, strlcpy is precisely designed to avoid these kinds of bugs. You could accomplish this by applying the following patch in the shadow package.

This bug occurs upstream, but I was unable to get the upstream bugtracker to give me an account, so was unable to report it there. My hope is that it could at least be fixed in arch, or that if the arch package maintainers have upstream reporting privileges, they can relay the issue.

diff -ur shadow-4.1.4.3.orig/src/login.c shadow-4.1.4.3/src/login.c
--- shadow-4.1.4.3.orig/src/login.c 2011-03-09 23:50:02.234765395 -0800
+++ shadow-4.1.4.3/src/login.c 2011-03-09 23:50:24.033729799 -0800
@@ -748,7 +748,7 @@
sizeof (loginprompt),
_("%s login: "), hostn);
} else {
- strncpy (loginprompt, _("login: "),
+ strlcpy (loginprompt, _("login: "),
sizeof (loginprompt));
}
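Review bot: strlcpy is not provided by glibc (it only appeared in glibc 2.38, in 2023), so on the glibc-based systems this package targets the line `+ strlcpy (loginprompt, _("login: "),` will fail to link unless shadow bundles its own strlcpy or pulls in libbsd. The if-branch visible just above already bounds its write with `sizeof (loginprompt)` and a format string `_("%s login: ")`; the else-branch can take the same route with `snprintf (loginprompt, sizeof (loginprompt), "%s", _("login: "));`, which always NUL-terminates and truncates an over-long translation instead of leaving the buffer unterminated, with no new dependency.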

diff -ur shadow-4.1.4.3.orig/src/usermod.c shadow-4.1.4.3/src/usermod.c
--- shadow-4.1.4.3.orig/src/usermod.c 2011-03-09 23:50:02.234765395 -0800
+++ shadow-4.1.4.3/src/usermod.c 2011-03-09 23:50:33.614739810 -0800
@@ -182,7 +182,7 @@
struct tm *tp;

if ((negativ != NULL) && (date < 0)) {
- strncpy (buf, negativ, maxsize);
+ strlcpy (buf, negativ, maxsize);
} else {
time_t t = (time_t) date;
tp = gmtime (&t);
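Review bot: same portability point as in login.c: `+ strlcpy (buf, negativ, maxsize);` needs a bundled strlcpy or a libbsd dependency on glibc, whereas `snprintf (buf, maxsize, "%s", negativ);` gives the same guaranteed termination portably. Either way the caller must pass `maxsize > 0`, since neither function writes a terminator into a zero-length buffer; worth asserting at the top of this function. Unrelated to the change but in the visible context, `tp = gmtime (&t);` can return NULL for dates outside the representable range, so whatever consumes tp after this hunk should check it.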

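Added example, not the reporter's patch nor shadow's own code: it reproduces the unterminated-buffer condition the report describes for the strncpy else-branch, then shows two terminating replacements, snprintf (no new dependency) and a local strlcpy, since glibc did not ship strlcpy at the time. PROMPT_SIZE, the function names and the long French prompt are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PROMPT_SIZE 16 /* small so a short constructed translation overflows */

/* Mirrors the unpatched else-branch: if strlen(localized) >= size, strncpy
 * fills the buffer and writes no NUL, so a later strlen()/puts() reads past
 * the end. Termination is probed with memchr, never strlen. */
bool prompt_via_strncpy_terminated(const char *localized)
{
    char loginprompt[PROMPT_SIZE];
    strncpy(loginprompt, localized, sizeof loginprompt);
    return memchr(loginprompt, '\0', sizeof loginprompt) != NULL;
}

/* Portable fix: snprintf always terminates (size > 0) and truncates.
 * Returns the length actually stored, always < PROMPT_SIZE. */
size_t prompt_via_snprintf_len(const char *localized)
{
    char loginprompt[PROMPT_SIZE];
    snprintf(loginprompt, sizeof loginprompt, "%s", localized);
    return strlen(loginprompt); /* safe: terminator guaranteed */
}

/* strlcpy as the patch proposes, defined locally because glibc only gained it
 * in 2.38 (2023): copies at most size-1 bytes, always terminates, returns
 * strlen(src) so truncation is detectable as result >= size. */
size_t shadow_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

int main(void)
{
    char buf[PROMPT_SIZE];
    const char *longprompt = "Identifiant de connexion : "; /* constructed, 27 bytes */
    printf("strncpy terminated: %s\n", prompt_via_strncpy_terminated(longprompt) ? "yes" : "NO");
    printf("snprintf stored %zu bytes\n", prompt_via_snprintf_len(longprompt));
    printf("strlcpy truncated: %s -> \"%s\"\n",
           shadow_strlcpy(buf, longprompt, sizeof buf) >= sizeof buf ? "yes" : "no", buf);
    return 0;
}
```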

Closed by Eric Belanger (Snowman) - Sunday, 26 June 2011, 17:00 GMT
Reason for closing: Fixed
Additional comments about closing: fixed in shadow-4.1.4.3-2 in testing
Comment by Gaetan Bisson (vesath) - Thursday, 10 March 2011, 10:24 GMT
There are many ways to report bugs upstream: http://pkg-shadow.alioth.debian.org/getinvolved.php
Sending a message to the mailing list or creating a bug report in http://www.debian.org/Bugs/ should not require special privilege.
Be sure to post the URL of your bug report upstream as a comment here once it is sent.
Comment by A Web (aweb) - Thursday, 10 March 2011, 11:10 GMT
Well, the alioth bug tracking system doesn't seem to create an account for me. I get the email confirmation, confirm my email address, but when I try to log in it says my user doesn't exist.

I did try to send to the mailing list also, but my mail seemed to disappear, probably in some spam quarantine.

Anyway, while not a huge deal, this is a security issue. And the fix is trivial--two characters. Thus, I hope one way or another it can be fixed in arch.
Comment by A Web (aweb) - Thursday, 10 March 2011, 11:18 GMT
Just tried again on alioth, and same thing. I register. I get the email. I click the email verification URL. Then I get some sort of database error, and it won't let me log in saying the user does not exist. But if I try to re-create the account, it says the user name is not available.

It appears the only viable way to report the bug upstream (for those who don't already have an account) is to use the sendbug utility, but since I don't have a debian box, I can't do this.
Comment by Gaetan Bisson (vesath) - Thursday, 10 March 2011, 11:31 GMT
The Alioth tracker has a total of six reports in it, so it does not seem to be very much used.
You can send a bug report to Debian via email (without reportbug) as explained here: http://www.debian.org/Bugs/Reporting

Edit:
- The six bug reports were only for shadow, so disregard my comment above. :)
- It would not be very constructive to just fix this in Arch and not notify upstream about it.
Comment by Eric Belanger (Snowman) - Monday, 20 June 2011, 06:33 GMT
It was already reported upstream:
http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2011-March/008554.html

There was no answer and most emails in that ML are spam. I'll probably just patch the package.
Comment by A Web (aweb) - Monday, 20 June 2011, 17:15 GMT
That upstream bug report is in fact mine. I thought my mail had disappeared into a spam filter, but in fact it just got drowned out by spam on a list nobody reads. I'll be glad to see this fixed in arch.

If anyone has access to debian it might be nice to notify them using sendbug, but at this point I wouldn't hold my breath for a fix in debian...